溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊(cè)×
其他方式登錄
點(diǎn)擊 登錄注冊(cè) 即表示同意《億速云用戶服務(wù)條款》

ASA842雙鏈路SLA配置測(cè)試

發(fā)布時(shí)間:2020-06-05 20:37:37 來(lái)源:網(wǎng)絡(luò) 閱讀:1519 作者:碧云天 欄目:安全技術(shù)

一.概述:

實(shí)際工作中估計(jì)會(huì)碰到需要用一臺(tái)ASA接兩家ISP線路,比如電信和網(wǎng)通,而又沒有足夠的預(yù)算買負(fù)載均衡設(shè)備,但是又想實(shí)現(xiàn)鏈路負(fù)載分擔(dān)和自動(dòng)切換,從電信來(lái)的流量,從電信線路回去,從網(wǎng)通來(lái)的流量從網(wǎng)通線路回去,當(dāng)其中一條線路出現(xiàn)故障時(shí),所有的流量從沒有出現(xiàn)故障線路走。
二.基本思路:
A.用OSPF模擬運(yùn)營(yíng)商網(wǎng)絡(luò),主要是為了不想手工添加路由

B.通過(guò)添加默認(rèn)路由走電信線路、監(jiān)控電信線路的網(wǎng)關(guān),和高metric的默認(rèn)路由走網(wǎng)通線路,實(shí)現(xiàn):

----電信來(lái)的流量走電信回去(需要C手工配置網(wǎng)通靜態(tài)路由相配合)

----電信鏈路出現(xiàn)故障時(shí),走網(wǎng)通線路

C.通過(guò)添加網(wǎng)通的靜態(tài)路由走網(wǎng)通線路,并監(jiān)控網(wǎng)通線路的網(wǎng)關(guān),實(shí)現(xiàn):

----網(wǎng)通來(lái)的流量走網(wǎng)通回去

----網(wǎng)通鏈路出現(xiàn)故障時(shí),走電信線路的默認(rèn)路由

D.對(duì)于靜態(tài)NAT,實(shí)際環(huán)境只有當(dāng)兩條ISP線路都正常時(shí),才會(huì)同時(shí)能被訪問

E.測(cè)試環(huán)境,實(shí)現(xiàn)靜態(tài)NAT當(dāng)一條線路出現(xiàn)故障時(shí),還能同時(shí)被訪問,實(shí)現(xiàn)的方法是:

---ASA兩個(gè)外部接口配置兩條靜態(tài)NAT

---ASA兩個(gè)相連的ISP路由器把另外一家ISP所NAT的網(wǎng)段發(fā)布出去,并將metric設(shè)置比OSPF默認(rèn)的大

三.測(cè)試拓?fù)洌?/span>

ASA842雙鏈路SLA配置測(cè)試

四.基本配置:
A.R1:
①接口配置:
interface Loopback0
ip address 1.1.1.1 255.255.255.0
interface Loopback61
ip address 61.1.3.1 255.255.255.0
ip ospf network point-to-point
interface Loopback202
ip address 202.100.3.1 255.255.255.0
ip ospf network point-to-point
interface FastEthernet0/0
ip address 202.100.2.1 255.255.255.0
no shut
interface FastEthernet0/1
ip address 61.1.2.1 255.255.255.0
no shut
②路由配置:
router ospf 1
router-id 1.1.1.1
passive-interface default
no passive-interface FastEthernet0/0
no passive-interface FastEthernet0/1
network 61.1.2.1 0.0.0.0 area 0
network 61.1.3.1 0.0.0.0 area 0
network 202.100.2.1 0.0.0.0 area 0
network 202.100.3.1 0.0.0.0 area 0
B:R2:
①接口配置:
interface Loopback0
ip address 2.2.2.2 255.255.255.0
interface FastEthernet0/0
ip address 202.100.1.2 255.255.255.0
no shut
interface FastEthernet0/1
ip address 202.100.2.2 255.255.255.0
no shut
interface FastEthernet1/0
ip address 23.1.1.1 255.255.255.252
no shut
②路由配置:
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface FastEthernet1/0
network 23.1.1.1 0.0.0.0 area 0
network 202.100.1.2 0.0.0.0 area 0
network 202.100.2.2 0.0.0.0 area 0
C.R3:
①接口配置:
interface Loopback0
ip address 3.3.3.3 255.255.255.0
interface FastEthernet0/0
ip address 61.1.1.3 255.255.255.0
no shut
interface FastEthernet0/1
ip address 61.1.2.3 255.255.255.0
no shut
interface FastEthernet1/0
ip address 23.1.1.2 255.255.255.252
no shut
②路由配置:
router ospf 1
router-id 3.3.3.3
passive-interface default
no passive-interface FastEthernet0/1
no passive-interface FastEthernet1/0
network 23.1.1.2 0.0.0.0 area 0
network 61.1.1.3 0.0.0.0 area 0
network 61.1.2.3 0.0.0.0 area 0
D.ASA842:
①接口配置:
interface GigabitEthernet0
nameif Inside
security-level 100
ip address 10.1.1.10 255.255.255.0
no shut
interface GigabitEthernet1
nameif Outside
security-level 0
ip address 202.100.1.10 255.255.255.0
no shut
interface GigabitEthernet2
nameif Backup
security-level 0
ip address 61.1.1.10 255.255.255.0
no shut
②兩條線路的動(dòng)態(tài)PAT配置:
object network inside_net
subnet 0.0.0.0 0.0.0.0
object network inside_any
subnet 0.0.0.0 0.0.0.0
object network inside_net
nat (Inside,Outside) dynamic interface
object network inside_any
nat (Inside,Backup) dynamic interface
③兩條線路的靜態(tài)NAT配置:
object network Inside_host_outside
host 10.1.1.4
object network Inside_host_backup
host 10.1.1.4
object network Outside-to-backup
host 10.1.1.4
object network Backup-to-outside
host 10.1.1.4
object network Inside_host_outside
nat (Inside,Outside) static 202.100.1.4
object network Inside_host_backup
nat (Inside,Backup) static 61.1.1.4
object network Outside-to-backup
nat (Inside,Outside) static 61.1.1.4
object network Backup-to-outside
nat (Inside,Backup) static 202.100.1.4
----每條線路配置兩條NAT,保證一條ISP線路出現(xiàn)故障時(shí),兩條靜態(tài)NAT都能被訪問
④防火墻策略配置:

class-map ALL_IP
match any
policy-map global_policy
class inspection_default
inspect icmp
class ALL_IP
set connection decrement-ttl
service-policy global_policy global
access-list outside extended permit icmp any any
access-list outside extended permit udp any any range 33434 33523
access-list outside extended permit tcp any object Inside_host_outside eq telnet
access-group outside in interface Outside
access-group outside in interface Backup

E:R4:
①接口配置:
interface Loopback0
ip address 192.168.1.4 255.255.255.0
interface FastEthernet0/0
ip address 10.1.1.4 255.255.255.0
no shut
②路由配置:
ip route 0.0.0.0 0.0.0.0 10.1.1.10
③telnet配置:
line vty 0 4
password cisco
login
五.ASA842 SLA及路由配置:
①sla配置:
sla monitor 1
type echo protocol ipIcmpEcho 202.100.1.2 interface Outside
frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 61.1.1.3 interface Backup
frequency 10
sla monitor schedule 2 life forever start-time now
②track配置:
track 1 rtr 1 reachability
track 2 rtr 2 reachability
③靜態(tài)路由配置:
route outside 0 0 202.100.1.2 1 track 1
route backup 0 0 61.1.1.3 254
---默認(rèn)路由走電信線路,當(dāng)電信線路出現(xiàn)故障時(shí)自動(dòng)切換到網(wǎng)通線路
route Backup 61.1.2.0 255.255.255.0 61.1.1.3 1 track 2
route Backup 61.1.3.0 255.255.255.0 61.1.1.3 1 track 2
---當(dāng)網(wǎng)通線路正常時(shí),到網(wǎng)通的網(wǎng)絡(luò)的數(shù)據(jù)走網(wǎng)通的線路,否則走電信的默認(rèn)路由
route Inside 192.168.1.0 255.255.255.0 10.1.1.4 1
---增加一條回指路由
六.關(guān)于靜態(tài)NAT:
---為了使兩條線路其中一條線路出現(xiàn)故障時(shí),兩個(gè)被靜態(tài)NAT地址都能訪問,需要:
A.每條線路配置兩條靜態(tài)NAT
----前面已經(jīng)配置
B.每個(gè)相連的ISP路由器把另外一家ISP所NAT的網(wǎng)段發(fā)布出去,并將metric設(shè)置比ospf默認(rèn)的大
----這種情況在實(shí)際環(huán)境基本無(wú)法實(shí)現(xiàn),兩家ISP不可能會(huì)幫客戶做這樣的事情,除非給的費(fèi)用足夠多
----測(cè)試環(huán)境下還是可以玩一玩的
①R2路由器:
ip route 61.1.1.0 255.255.255.0 202.100.1.10 254 tag 10
route-map ASA842 permit 10
match tag 10
router ospf 1
redistribute static metric 130 subnets route-map ASA842
②R3路由器:
ip route 202.100.1.0 255.255.255.0 61.1.1.10 254 tag 10
route-map ASA842 permit 10
match tag 10
router ospf 1
redistribute static metric 130 subnets route-map ASA842

七.效果測(cè)試:

A.線路正常的情況下:

R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
1 202.100.1.2 160 msec 108 msec 56 msec
2 202.100.2.1 36 msec * 24 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
1 61.1.1.3 112 msec 8 msec 0 msec
2 61.1.2.1 112 msec * 68 msec
---去電信的流量走電信,去網(wǎng)通的流量走網(wǎng)通

R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 202.100.2.2 32 msec 56 msec 20 msec
2 202.100.1.10 40 msec * 24 msec
3 202.100.1.4 80 msec * 16 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 202.100.2.2 140 msec 180 msec 80 msec
2 202.100.1.10 64 msec * 88 msec
3 202.100.1.4 140 msec * 84 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 61.1.2.3 116 msec 32 msec 0 msec
2 61.1.1.10 4 msec * 4 msec
3 61.1.1.4 208 msec * 128 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 61.1.2.3 8 msec 120 msec 192 msec
2 61.1.1.10 0 msec * 20 msec
3 61.1.1.4 152 msec * 204 msec
----兩個(gè)被靜態(tài)NAT地址都能被訪問,并且電信的地址走電信接口,網(wǎng)通的地址走網(wǎng)通的接口

B.電信線路不正常的情況下:

R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
1 10.1.1.10 188 msec * 28 msec
2 61.1.1.3 44 msec 0 msec 0 msec
3 61.1.2.1 108 msec * 84 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
1 10.1.1.10 0 msec * 20 msec
2 61.1.1.3 100 msec 32 msec 0 msec
3 61.1.2.1 108 msec * 72 msec
---去電信和網(wǎng)通的流量都走網(wǎng)通
R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 61.1.2.3 4 msec 184 msec 52 msec
2 61.1.1.10 0 msec * 0 msec
3 202.100.1.4 152 msec * 12 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 61.1.2.3 36 msec 4 msec 16 msec
2 61.1.1.10 200 msec * 16 msec
3 202.100.1.4 184 msec * 148 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 61.1.2.3 48 msec 0 msec 0 msec
2 61.1.1.10 4 msec * 32 msec
3 61.1.1.4 148 msec * 180 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 61.1.2.3 76 msec 52 msec 0 msec
2 61.1.1.10 0 msec * 16 msec
3 61.1.1.4 172 msec * 112 msec
----電信和網(wǎng)通被靜態(tài)NAT的地址都能被電信和網(wǎng)通的用戶訪問

C.網(wǎng)通線路不正常的情況下:

R4#traceroute 202.100.3.1 source l0
Type escape sequence to abort.
Tracing the route to 202.100.3.1
1 10.1.1.10 8 msec * 28 msec
2 202.100.1.2 108 msec 72 msec 84 msec
3 202.100.2.1 88 msec * 128 msec
R4#traceroute 61.1.3.1 source l0
Type escape sequence to abort.
Tracing the route to 61.1.3.1
1 10.1.1.10 0 msec * 76 msec
2 202.100.1.2 112 msec 96 msec 24 msec
3 202.100.2.1 248 msec * 76 msec
---去電信和網(wǎng)通的流量都走電信
R1#traceroute 202.100.1.4 source l202
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 202.100.2.2 4 msec 156 msec 76 msec
2 *
202.100.1.10 40 msec *
3 202.100.1.4 68 msec * 24 msec
R1#traceroute 202.100.1.4 source l61
Type escape sequence to abort.
Tracing the route to 202.100.1.4
1 202.100.2.2 92 msec 60 msec 124 msec
2 202.100.1.10 4 msec * 36 msec
3 202.100.1.4 152 msec * 60 msec
R1#traceroute 61.1.1.4 source l61
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 202.100.2.2 32 msec 136 msec 116 msec
2 202.100.1.10 80 msec * 56 msec
3 61.1.1.4 120 msec * 120 msec
R1#traceroute 61.1.1.4 source l202
Type escape sequence to abort.
Tracing the route to 61.1.1.4
1 202.100.2.2 4 msec 140 msec 112 msec
2 202.100.1.10 64 msec * 64 msec
3 61.1.1.4 156 msec * 80 msec
----電信和網(wǎng)通被靜態(tài)NAT的地址都能被電信和網(wǎng)通的用戶訪問

附件:http://down.51cto.com/data/2363080
向AI問一下細(xì)節(jié)

免責(zé)聲明:本站發(fā)布的內(nèi)容(圖片、視頻和文字)以原創(chuàng)、轉(zhuǎn)載和分享為主,文章觀點(diǎn)不代表本網(wǎng)站立場(chǎng),如果涉及侵權(quán)請(qǐng)聯(lián)系站長(zhǎng)郵箱:is@yisu.com進(jìn)行舉報(bào),并提供相關(guān)證據(jù),一經(jīng)查實(shí),將立刻刪除涉嫌侵權(quán)內(nèi)容。

AI